DESCRIPTION

SYNTAX

The configuration parameters are expressed as a series of sections
containing a number of statements. Sections begin with a keyword
optionally followed by a parameter list. All statements for a section are
enclosed using the '{' and '}' characters. Statements begin with a
keyword optionally followed by a parameter list and are terminated with
the ';' character. Lines that begin with the '#' character are treated
as comments.
In this document keywords are written literally and user supplied
parameters are written as their type name ( number, label, quoted,
address or network ). Optional parameters are enclosed using the
'[' and ']' characters. Multiple keywords that may be valid for a single
parameter are enclosed using the '(' and ')' characters and separated
using the '|' character.
The defined parameter types are as follows ...
    number   A decimal number
    label    A string comprised of alphanumeric characters
    quoted   A quoted string enclosed in '"' characters
    address  An IP address expressed as x.x.x.x
    network  An IP network and prefix length expressed as x.x.x.x/y
Daemon Section
daemon { statements }
Specifies the general configuration for iked(8) operation. This
includes parameters related to the basic network configuration,
log file and debug output. Only one daemon section should be
defined.
socket (ike | natt) [address] number;
An address and port number that should be used for ike or
natt communications. If the address parameter is
omitted, the daemon will attempt to bind to any address
for the given port number. If no socket statements are
specified, the daemon will attempt to bind to all
interfaces for both ike and natt using the default port
numbers ( 500 & 4500 respectively ). Note, the natt
keyword can only be specified if the daemon was compiled
with natt support.
retry_count number;
The number of times an exchange packet should be resent
to a peer. The default value for this parameter is 2.
retry_delay number;
The number of seconds to wait between packet resend
attempts. The default value for this parameter is 10.
log_file quoted;
The path and file name that should be used for log
output.
log_level (none | error | info | debug | loud | decode);
The log output detail level. The default value for this
parameter is none.
pcap_decrypt quoted;
The path and file name that should be used to dump
decrypted ike packets in pcap format. If no pcap_decrypt
statement is specified, this feature is disabled. Note, the
decrypted capture contains the plaintext of every IKE
exchange, including XAuth credentials carried in encrypted
exchanges, so enable it only for troubleshooting and write
it to a location readable by root only.
pcap_encrypt quoted;
The path and file name that should be used to dump
encrypted ike packets in pcap format. If no pcap_encrypt
statement is specified, this feature is disabled.
dhcp_file quoted;
The path and file name that should be used to store a
dhcp mac address seed value for dhcp over ipsec
negotiation. If no file is present, the file will be
created.
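A daemon section that uses the statements above, added here as an example; it is not taken from this page or from the Shrew Soft distribution, and the listening address, file paths and retry values are assumptions.

```conf
# Added example: daemon section (address and paths are assumed)
daemon
{
	# Bind only to the gateway's public address; omitting the address
	# would bind the port on every interface.
	socket ike 203.0.113.10 500;
	socket natt 203.0.113.10 4500;

	# Resend an exchange packet up to 5 times, 5 seconds apart,
	# instead of the defaults of 2 and 10.
	retry_count 5;
	retry_delay 5;

	# Errors and state changes only; 'loud' and 'decode' are for
	# troubleshooting sessions, not production.
	log_file "/var/log/iked.log";
	log_level info;

	# Left disabled: a decrypted capture exposes every IKE exchange,
	# XAuth credentials included. Uncomment only while debugging.
	# pcap_decrypt "/var/log/iked.decrypt.pcap";

	# Seed file for the DHCP over IPsec MAC address; created on demand.
	dhcp_file "/var/db/iked.dhcp";
}
```

With no socket statements at all the daemon would bind to every interface on ports 500 and 4500; pinning the address keeps IKE off management or internal interfaces.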
Network Group Section
netgroup label { statements }
Specifies a group of networks that can be referred to by the
assigned label. Multiple netgroup sections may be defined.
network;
A network to be associated with this network group.
XAuth LDAP Section
xauth_ldap { statements }
Specifies the LDAP configuration to be used when the
xauth_source is set to ldap for a given peer section. Only one
xauth_ldap section should be defined. Note, an xauth_ldap section
can only be defined if the daemon was compiled with LDAP support.
version number;
The LDAP protocol version to be used ( 2 or 3 ). The
default value for this parameter is 3.
url quoted;
The LDAP server url. For example, a url may look like
"ldap://ldap.shrew.net:389".
base quoted;
The base dn to be used for LDAP searches. For example, a
base dn may look like "ou=users,dc=shrew,dc=net".
subtree (enable | disable);
The search scope to be used for LDAP searches. If
enabled, searches will be performed using the subtree
search scope. If disabled, searches will be performed
using the one level search scope. The default value for
this parameter is disable.
bind_dn quoted;
The dn to bind as before performing LDAP searches. If
this parameter is omitted, searches will be performed
using anonymous binds.
bind_pw quoted;
The password to use when a bind_dn is specified. The
password is stored in clear text, so the configuration
file should be readable by root only and the bind_dn
should be a read-only account.
attr_user quoted;
The attribute used to specify a user name in the LDAP
directory. For example, if a user dn is
"cn=user,dc=shrew,dc=net" then the attribute would be
"cn". The default value for this parameter is "cn".
attr_group quoted;
The attribute used to specify a group name in the LDAP
directory. For example, if a group dn is
"cn=group,dc=shrew,dc=net" then the attribute would be
"cn". The default value for this parameter is "cn".
attr_member quoted;
The attribute used to specify a group member in the LDAP
directory. The default value for this parameter is
"member".
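An xauth_ldap section that maps the statements above onto a typical directory layout, added here as an example; it is not from this page or the Shrew Soft distribution, and the server name, DNs, attribute names and password are assumptions.

```conf
# Added example: xauth_ldap section (host, DNs, attributes and password are assumed)
xauth_ldap
{
	version 3;
	url "ldap://ldap.example.net:389";
	base "ou=users,dc=example,dc=net";

	# Users live in sub-OUs below the base, so the default one-level
	# scope would not find them.
	subtree enable;

	# Read-only service account used for the search bind. The password
	# sits here in clear text: keep this file root-readable only.
	bind_dn "cn=iked-bind,ou=services,dc=example,dc=net";
	bind_pw "change-me";

	# Users are matched on uid rather than the default cn; groups are
	# matched on cn and list members as full DNs in 'member'.
	attr_user "uid";
	attr_group "cn";
	attr_member "member";
}
```

A peer section then selects this source with a statement of the form `xauth_source ldap "vpn-users";`, where the quoted group name is looked up using attr_group and attr_member.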
XConf Local Section
xconf_local { statements }
Specifies the Configuration Exchange settings to be used when the
xconf_source is set to local for a given peer section. Only one
xconf_local section should be defined.
network4 network [number];
The network that will be used to define a local address
pool. An optional number can be specified to restrict the
pool to a specific size. An address from this pool along
with the network mask are passed to a peer when
requested.
dnss4 address;
The dns server address to be passed to a peer when
requested.
nbns4 address;
The netbios name server address to be passed to a peer
when requested.
dns_suffix quoted;
The dns suffix to be passed to a peer when requested.
dns_list quoted [quoted ...];
A list of split dns suffixes to be passed to a peer when
requested. A peer can use this list to selectively forward
dns requests to the dnss4 server when a query matches one
of the supplied split dns suffixes.
banner quoted;
The path to a file that contains a login banner to be
passed to a peer when requested.
pfs_group number;
The pfs group number to be passed to a peer when
requested.
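An xconf_local section exercising the address pool size limit and split DNS described above, added here as an example; it is not from this page or the Shrew Soft distribution, and the networks, server addresses, suffixes and banner path are assumptions.

```conf
# Added example: xconf_local section (addresses, suffixes and path are assumed)
xconf_local
{
	# Tunnel addresses come from 10.20.0.0/24, but the pool is capped
	# at 100 entries so it matches the expected number of clients.
	network4 10.20.0.0/24 100;

	dnss4 10.1.0.53;
	nbns4 10.1.0.54;
	dns_suffix "corp.example.net";

	# Split DNS: the client forwards only queries under these suffixes
	# to dnss4 and resolves everything else with its own resolver.
	dns_list "corp.example.net" "lab.example.net";

	# Login banner shown to the client after authentication.
	banner "/usr/local/etc/iked.banner";

	# DH group the client is told to use for phase2 PFS.
	pfs_group 14;
}
```

Without the size limit, every address in the /24 other than the network and broadcast addresses is eligible for assignment.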
Peer Section
peer address [number] { statements }
Specifies the parameters used to communicate with a given peer by
address and optional port number. If the port value is omitted,
the default isakmp port number will be used ( 500 ). If an
address of 0.0.0.0 is used, the peer section can be used for any
remote host. Multiple peer sections may be defined. Note, with a
0.0.0.0 peer section the peerid, authdata and xauth_source
statements are the only controls that distinguish one remote
host from another.
contact (initiator | responder | both);
Specifies the contact type when establishing phase1
negotiations with a peer. If initiator is used, the
daemon will initiate contact but deny contact initiated
by the peer. If responder is used, the daemon will allow
contact initiated by the peer but will not initiate
contact. If both is specified, the daemon will initiate
contact and allow the peer to initiate contact.
exchange (main | aggressive);
Specifies the exchange type to be used for phase1
negotiations with a peer. The default value for this
parameter is main. Note, aggressive mode sends the identities
in the clear and, with pre shared key authentication, lets a
passive observer attempt an offline dictionary attack on the
secret; use main unless the peer requires aggressive mode.
natt_mode (disable | enable | force [draft | rfc]);
Specifies the NAT Traversal mode to be used for phase1
negotiations with a peer. If disable is used, natt
negotiations will not be attempted. If enable is used,
the daemon will attempt to negotiate and use NAT
Traversal when appropriate. If force is used, the daemon
will use NAT Traversal even if the peer does not
negotiate support for this feature. When force is used,
the draft or rfc modifiers can optionally be specified to
select the required method with rfc being the default if
omitted. The default value for this parameter is disable.
natt_port number;
Specifies the NAT Traversal port number to be used for
phase1 negotiations with a peer when acting as an
initiator. The default value for this parameter is 4500.
natt_rate number;
Specifies the number of seconds between sending NAT
Traversal keep-alive messages. The default value for this
parameter is 15.
dpd_mode (disable | enable | force);
Specifies the Dead Peer Detection mode to be used with a
peer. If disable is used, DPD negotiations will not be
attempted. If enable is used, the daemon will attempt to
negotiate and use DPD when appropriate. If force is used,
the daemon will use DPD even if the peer does not
negotiate support for this feature. The default value for
this parameter is disable.
dpd_delay number;
Specifies the number of seconds between sending DPD
are-you-there messages. The default value for this parameter
is 15.
dpd_retry number;
Specifies the number of times a DPD are-you-there message
will be retransmitted when no response is received. The
default value for this parameter is 5.
frag_ike_mode (disable | enable | force);
Specifies the IKE Fragmentation mode to be used with a
peer. If disable is used, IKE Fragmentation negotiations
will not be attempted. If enable is used, the daemon will
attempt to negotiate and use IKE Fragmentation when
appropriate. If force is used, the daemon will use IKE
Fragmentation even if the peer does not negotiate support
for this feature. The default value for this parameter is
disable.
frag_ike_size number;
Specifies the maximum number of bytes for an IKE
Fragment. The default value for this parameter is 520.
frag_esp_mode (disable | enable);
Specifies the ESP Fragmentation mode to be used with a
peer. If disable is used, the daemon will create IPsec
SAs without the ESP Fragmentation option. If enable is
used, the daemon will create IPsec SAs with the ESP
Fragmentation option. The default value for this
parameter is disable. Note, ESP Fragmentation is only
valid for IPsec SAs using NAT Traversal. The operating
system must also have support for this feature. ( NetBSD
Only )
frag_esp_size number;
Specifies the maximum number of bytes for an ESP
Fragment. The default value for this parameter is 520.
peerid (local | remote) type ...;
Specifies either the local identity to be sent to a peer
or the remote identity to be compared with the value
received from a peer during phase1 negotiations. The
valid identity types are as follows ...
address [address];
An IP Address. If the address value is omitted,
the network address used during phase1
negotiations is used.
fqdn quoted;
A Fully Qualified Domain Name string.
ufqdn quoted;
A User Fully Qualified Domain Name string.
asn1dn [quoted];
An ASN.1 Distinguished Name string. If the quoted
value is omitted, the daemon will acquire the DN
from the subject field contained within the
certificate.
authdata type ...;
Specifies the authentication data to use during phase1
negotiations. The valid authentication data types are as
follows ...
psk quoted;
A Pre Shared Secret. Use a long, random value; a peer
section for 0.0.0.0 shares it with every remote host
that matches.
ca quoted [quoted];
A path to an OpenSSL PEM or PKCS12 file that
contains the Remote Certificate Authority. In the
case where a PKCS12 file is encrypted, the second
quoted parameter specifies the file password.
cert quoted [quoted];
A path to an OpenSSL PEM or PKCS12 file that
contains the Local Public Certificate. In the
case where a PKCS12 file is encrypted, the second
quoted parameter specifies the file password.
pkey quoted [quoted];
A path to an OpenSSL PEM or PKCS12 file that
contains the Local Private Key. In the case where
a PKCS12 file is encrypted, the second quoted
parameter specifies the password. The private key
file, and this file when it carries the password,
should be readable by root only.
life_check level;
Specifies the behavior when validating peer lifetime
proposal values. The default level is claim. The valid
levels are as follows ...
    obey    A responder will always use the initiator's value.
    strict  A responder will use the initiator's value if it
            is shorter than the responder's. A responder will
            reject the proposal if the initiator's value is
            greater than the responder's.
    claim   A responder will use the initiator's value if it
            is shorter than the responder's. A responder will
            use its own value if it is shorter than the
            initiator's. In the second case, the responder
            will send a RESPONDER-LIFETIME notification to
            the initiator when responding to phase2
            proposals.
    exact   A responder will reject the proposal if the
            initiator's value is not equal to the responder's.
xauth_source (local | ldap) [quoted];
Specifies the Extended Authentication source to be used
for user authentication after phase1 negotiations. The
optional quoted value specifies a group name that can be
used to restrict access to only users that are valid
members of the group. If local is used, the peer supplied
credentials will be compared to the local account
database. If ldap is used, the peer supplied credentials
will be compared to an LDAP account database. The LDAP
source configuration is defined in the xauth_ldap
section. The default value for this parameter is local.
xconf_source local [(push | pull)];
Specifies the Configuration Exchange source to be used
when responding to peer configuration requests. If local
is used, the daemon will supply configuration information
defined in the xconf_local section. The optional push or
pull modifier selects whether the daemon waits for the peer
to request its configuration ( pull ) or sends it
unsolicited once authentication completes ( push ). The
default value for this parameter is local.
plcy_mode (disable | config | compat);
Specifies the policy generation mode. When disable is
used, no policy generation is performed. When config mode
is used, policy generation is performed during
Configuration Exchange. This allows the daemon to
generate policies using the peer's private tunnel address.
When compat mode is used, policy generation is performed
after phase1 negotiations. This allows the daemon to
interoperate with peers that do not support Configuration
Exchanges.
plcy_list { statements }
Specifies a list of network groups and parameters that
can be used to perform policy generation. If no plcy_list
is defined but plcy_mode is set to config or compat, the
daemon operates as if a single include statement was used
that referred to a netgroup covering all networks, so
every packet from the peer is tunneled.
(include | exclude) label [quoted];
Specifies a netgroup by label for use with policy
generation. When include is used, the daemon will
generate appropriate IPsec policies and pass all
netgroup defined networks during the
Configuration Exchange if requested. A peer would
use this configuration information to selectively
tunnel all traffic destined for any one of these
networks. If exclude is used, the daemon will
generate appropriate discard policies and pass
all netgroup defined networks during the
Configuration Exchange if requested. A peer would
use this configuration information to selectively
bypass IPsec processing for all traffic destined
to any one of these networks. The optional quoted
string specifies a group name that can be used to
restrict processing of this netgroup to only
users that are valid members of the group. If
XAuth is not performed, statements that define a
group name are skipped, so a netgroup guarded by a
group name is never reachable by a peer that did
not authenticate with XAuth.
proposal type { statements }
Specifies a proposal to be used during SA negotiations
with a peer. The valid proposal types are as follows ...
isakmp An ISAKMP proposal supports the following ...
auth type;
Define the authentication mechanism for
the ISAKMP proposal. The accepted types
are hybrid_xauth_rsa, mutual_xauth_rsa,
mutual_xauth_psk, mutual_rsa and
mutual_psk.
ciph type [number];
Define the cipher algorithm for this
proposal. The optional number specifies
the keylength for algorithms that support
it. The accepted types are aes, blowfish,
3des, cast and des.
hash type;
Define the hash algorithm for this
proposal. The accepted types are md5 and
sha1.
dhgr number;
Define the DH group for this proposal.
The accepted values are 1, 2, 5, 14, 15
and 16.
ah An AH proposal supports the following ...
hash type;
Define the hash algorithm for this
proposal. The accepted types are md5 and
sha1.
dhgr number;
Define the DH group for this proposal.
The accepted values are 1, 2, 5, 14, 15
and 16.
esp An ESP proposal supports the following ...
ciph type [number];
Define the cipher algorithm for this
proposal. The optional number specifies
the keylength for algorithms that support
it. The accepted types are aes, blowfish,
3des, cast and des.
hmac type;
Define the message authentication
algorithm for this proposal. The accepted
types are md5 and sha1.
dhgr number;
Define the DH group for this proposal.
The accepted values are 1, 2, 5, 14, 15
and 16.
ipcomp An IPCOMP proposal supports the following ...
comp type;
Define the compression algorithm for this
proposal. The accepted types are deflate
and lzs.
All proposal types support the following ...
life_sec number;
Define the lifetime in seconds for this proposal.
life_kbs number;
Define the lifetime in kilobytes for this
proposal.
Note, of the accepted algorithms, des, md5 and DH groups 1 and 2
are weak by current standards; prefer aes, sha1 and DH group 14
or larger wherever the peer supports them.
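A complete road-warrior peer section tying together the netgroup, peer, plcy_list and proposal statements described above, added here as an example; it is not from this page or the Shrew Soft distribution, and every address, hostname, group name and file path is an assumption. It relies on an xauth_ldap and an xconf_local section being defined elsewhere in the file.

```conf
# Added example: netgroups plus an any-address peer with policy generation
# (networks, names, certificate paths and group names are assumed)
netgroup internal
{
	10.1.0.0/16;
	10.2.0.0/16;
}

netgroup internal_admin
{
	10.3.0.0/24;
}

netgroup public_web
{
	10.1.80.0/24;
}

peer 0.0.0.0
{
	# Accept connections from any address, never initiate.
	contact responder;
	# Main mode keeps identities encrypted and avoids the offline
	# guessing exposure of aggressive mode.
	exchange main;

	natt_mode enable;
	dpd_mode enable;
	dpd_delay 30;
	frag_ike_mode enable;

	# The gateway identifies itself by the subject DN of its certificate.
	# hybrid_xauth_rsa below means clients are not certificate-authenticated,
	# so no 'peerid remote' is needed; XAuth carries the user authentication.
	peerid local asn1dn;
	authdata ca "/usr/local/etc/ssl/ca.crt";
	authdata cert "/usr/local/etc/ssl/vpn.crt";
	authdata pkey "/usr/local/etc/ssl/vpn.key";

	# Users are checked against the xauth_ldap section and must belong
	# to the vpn-users group.
	xauth_source ldap "vpn-users";
	# Client requests its configuration; answered from xconf_local.
	xconf_source local pull;

	# Policies are built around the tunnel address assigned during
	# Configuration Exchange.
	plcy_mode config;
	plcy_list
	{
		include internal;
		# Only members of vpn-admins get a tunnel policy for this range.
		include internal_admin "vpn-admins";
		# Traffic to the public web servers bypasses IPsec processing.
		exclude public_web;
	}

	proposal isakmp
	{
		auth hybrid_xauth_rsa;
		ciph aes 256;
		hash sha1;
		dhgr 14;
		life_sec 86400;
	}

	proposal esp
	{
		ciph aes 256;
		hmac sha1;
		dhgr 14;
		life_sec 3600;
		life_kbs 1048576;
	}

	proposal ipcomp
	{
		comp deflate;
		life_sec 3600;
	}
}
```

Because the peer address is 0.0.0.0, nothing about the remote address is trusted: the certificate chain in authdata authenticates the gateway to the client, and the XAuth group check plus the group-guarded include statement are what limit which users reach which networks.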